Abstract — We design and analyze a method to extract secret
keys from the randomness inherent to wireless channels. We
study a channel model for multipath wireless channels and exploit
the channel diversity in generating secret key bits. We compare
key extraction methods based on the entire channel state
information (CSI) and on a single channel parameter such as the
received signal strength indicator (RSSI). Due to the reduction
in the degrees of freedom when going from CSI to RSSI, the rate
of key extraction based on CSI is far higher than that based on
RSSI. This suggests that exploiting channel diversity and making
CSI available to higher layers would greatly benefit
secret key generation. We propose a key generation system
based on low-density parity-check (LDPC) codes and describe
the design and performance of two systems: one based on binary
LDPC codes and the other (useful at higher signal-to-noise ratios)
based on four-ary LDPC codes.

Index Terms — Common randomness, secret key generation, 
channel diversity, LDPC codes, Slepian-Wolf decoder 



I. Introduction

In this paper we study the generation of secret keys based 
on the inherent randomness of wireless multipath channels. 
This study falls into the broad area of physical layer security 
(see [1] for an overview of the area). In this setting the
objective is for a pair of users, generically referred to as Alice 
and Bob, to extract a secret key from a naturally occurring 
source of randomness observed by two users. The central idea 
is that through a public (i.e., not secret) discussion, Alice and 
Bob can de-noise their correlated observations to generate, 
with high probability, a commonly known string, which can 
serve as the key. Of course, any eavesdropper (typically named 
Eve) would use both her knowledge of the public message 
and any observation she has to guess the key. A source of 
naturally occurring randomness that would be well suited to 
the key generation application would be characterized by three 
properties. It would be easily and widely accessible, it would 
have a high level of randomness, and it would be difficult for 
Eve to observe. The randomness inherent to wireless multipath 
fading channels, such as the random amplitudes and phases of 
the channel response coefficients, satisfies all three properties.
The ubiquity of personal wireless devices makes a multipath
fading channel an easily accessible, and hence very relevant, 
source of randomness. The fact that it has a high level of 
randomness and is difficult to eavesdrop is due to the physics 
of electromagnetic wave propagation. In a rich multipath 
environment wireless channels have high spatial and temporal 
variation. For instance, whenever either Alice or Bob moves, 
or whenever other scattering objects move between them, the 
channel between them changes. In terms of key extraction 
this means that there is a continual influx of new randomness 
from which to extract new and independent key bits. For the 
same reason, an eavesdropper that is listening to transmissions
between Alice and Bob and that is even a few wavelengths 
away from either will observe a nearly independent channel. 
In terms of key extraction, this makes it difficult to eavesdrop 
on the source of randomness (the channel coefficients). 

Modern wireless communication protocols typically use
diversity signaling techniques such as orthogonal frequency-division
multiplexing (OFDM) or Multiple Input Multiple
Output (MIMO) antennas. These techniques exploit frequency,
time and spatial diversity of the underlying wireless channel
and improve the communication performance. By exploiting
channel diversity in a similar manner in secret key generation
one can harvest more randomness. Thus in this paper, we
study an OFDM system as an example from the perspective
of secret key generation. We characterize the suitability of
such channels for key generation, both under the assumption
of the availability of full channel state information (CSI) and
the assumption of the availability of only received signal
strength indicators (RSSI). The latter is what is available to
the higher layers of existing wireless transceivers. We show
that by exploiting the channel diversity in the CSI, one can
significantly increase the rate at which the secret key bits can
be generated relative to when channel diversity is not exploited
(as in RSSI-based methods). Thus making CSI available
to the higher layers (where security is managed) in future
transceiver designs would greatly facilitate the adoption of the
approach we propose. We also show that when extracting keys
from CSI, one can, without loss of rate, extract key bits separately
from the real and the imaginary parts of each channel
coefficient. The same is not true for amplitude and phase as
there is correlation between the amplitudes and phases across
the two participating users. We also detail an algorithm for the
de-noising needed in key extraction. Our algorithm is based
on low-density parity-check (LDPC) codes. We describe two
designs, one based on binary and one based on non-binary
(quaternary) LDPC codes. Higher-alphabet codes are required
to extract the full randomness of the channel at higher
signal-to-noise ratios (SNR).

There are many works on both the theoretical analysis and the
practical implementation of physical layer security. Theoretical
analysis of the wire-tap channel dates back four decades
[2], [3]. More recently, Bloch et al. propose the seminal
practical opportunistic one-way secret key agreement protocol
for the Gaussian wiretap channel in [4]. The works of
Maurer [5] and Ahlswede and Csiszar [6] show that correlated
randomness can be used to generate secret keys. Their works
lay down the analytical foundations for secret key generation
in wireless communication. Sayeed and Perrig [7] recognize
the possibility of extracting secret keys from multipath
randomness in wireless communication. Fundamental limits to
key generation for multipath randomness are studied in [8]-[13].
In [8], [9] the minimum energy-per-key-bit is characterized
for rich fading channels and is extended in [14] to
sparse multipath channels. Eavesdroppers with the ability to
tamper with the transmission have been studied by Maurer and Wolf
[15]-[17]. More recently, Chou et al. study the secret key
capacity of the sender-excited secret key agreement in [18].
Non-coherent secret key generation, in which neither the sender
nor the receiver has access to the channel state information,
has been studied in [19].

There are also many works on realizing physical layer
security by designing practical secret key generating systems.
These works are based on the earliest work by Hershey et al.
[20] and Hassan et al. [21]. Ye et al. [22], [23] present an
over-the-air implementation on 802.11 platforms, prototyping
a systematic design using a scalar fading channel coefficient.
Jana et al. present yet another over-the-air implementation
using the received signal strength indicators [24]. Channel
randomness is also exploited for device pairing [25] and
authentication [26]-[28]. Secret key generation systems over
MIMO have been considered in [29] and the references therein.

There are many related design issues. A typical secret
key generation process consists of three phases: randomness
exploration, reconciliation and privacy amplification [23]. In
randomness exploration, quantization is used to convert continuous
observations to discretized information bits. A good
quantizer should not only maximize the mutual information
between Alice and Bob's bit sequences, but also reveal limited
information to the eavesdropper. An algorithm is proposed
in [30], [31] to find such a quantizer. Ye et al. [23] propose an
over-quantization technique to extract more bits per independent
channel training. When the channel is over-static (long
coherence time), filtering techniques, such as the Discrete Cosine
Transform in [32] and windowed moving average low pass
filtering in [23], are used to remove the redundancy in the
extracted key bits. The reconciliation process is typically done
using various coding techniques, such as LDPC codes [4]
and list-encoding [25]. For a detailed survey on reconciling
two binary random variables, see [33]. Finally, universal hash
functions are widely used [17], [34] for privacy amplification.

In this paper, we show that the channel randomness can be
further exploited through the channel diversity offered by the
wireless front-end. We note that in many related works, such as
[22]-[25], secret key bits are extracted from a single parameter
observed in the wireless channel. This fundamentally limits the
rate at which secret key bits can be extracted. For
instance, in [22] only one bit can be extracted per independent
channel realization, although they over-quantize it to increase
the number of bits in their later work [23]. Similarly, in
[25] only one bit can be extracted per coherence time. We
thus argue that by exploiting the channel diversity in wireless
multipath fading channels, one can significantly improve the
secret key capacity.

A. System overview 

To lend concreteness to the ensuing discussion we describe 
the operation of the key extraction algorithm discussed later 
in the paper. To generate their correlated observations Alice
and Bob each transmit known channel sounding (training)
signals to each other. This two-way training is done in two
consecutive time slots. As long as the channel is static over
these two time slots (the key assumption of our model [7],
[24]) then, due to the reciprocity of electromagnetic wave
propagation, Alice and Bob both obtain (noisy) observations 
of the same multipath fading channel coefficients. Eve is 
assumed to listen to both transmissions, but due to the fast 
spatial decorrelation of multipath channels, we assume for the 
remainder of the paper that her observations are independent 
and thus useless for estimating the realized channel law. Alice 
then quantizes her observations into some finite alphabet. (If 
Alice did not quantize her observations there would be no 
way Bob could recover the exact same coefficients with high 
probability.) Alice then sends to Bob a public message. In our 
algorithm the public message is the syndrome of some length- 
N error correcting code where N is the length of Alice's 
vector of quantized channel coefficients. Bob combines the 
public message with his observations in his attempt to recover 
Alice's quantized observations. We describe two possibilities 
for Bob. First, that he quantizes his own observations before 
his recovery attempt ("hard" decoding) and, second, that he 
bases his recovery attempt on his un-quantized observations 
(strictly better "soft" decoding). 
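
The exchange just described, as an added sketch that is not code from the paper: a (7,4) Hamming code stands in for the length-$N$ LDPC code, Bob uses hard decoding, and the observation values, the one-bit quantizer and the key map `extract_key` are constructed assumptions.

```python
"""Syndrome-based reconciliation with hard decoding (added illustration)."""
from itertools import product

# Parity-check matrix of the (7,4) Hamming code. Column j (1-based) is the
# binary expansion of j, so a single flipped bit has its position as syndrome.
H = [[(j >> b) & 1 for j in range(1, 8)] for b in range(3)]

# Constructed sample observations of seven real channel components.
ALICE_OBS = [0.91, -1.32, 0.08, 0.55, -0.47, 1.76, 0.21]
BOB_OBS = [1.05, -1.10, -0.03, 0.61, -0.52, 1.49, 0.30]  # third sign differs


def quantize(samples):
    """One-bit quantizer: the sign of each observation."""
    return [1 if s >= 0 else 0 for s in samples]


def syndrome(bits):
    """Alice's public message: H times her quantized vector, modulo 2."""
    return tuple(sum(h * x for h, x in zip(row, bits)) % 2 for row in H)


def bob_recover(y_b, s_a):
    """Hard decoding: Bob's bits plus Alice's syndrome give his estimate."""
    # By linearity, s_a XOR syndrome(y_b) is the syndrome of the disagreement
    # pattern x_a XOR y_b; for a single disagreement it names the position.
    diff = [a ^ b for a, b in zip(s_a, syndrome(y_b))]
    pos = sum(bit << i for i, bit in enumerate(diff))
    x_hat = list(y_b)
    if pos:
        x_hat[pos - 1] ^= 1
    return x_hat


def extract_key(bits):
    """Key map f: keep positions 3, 5, 6, 7 and drop the three positions
    (1, 2, 4) that the public syndrome determines once the key is known."""
    return [bits[2], bits[4], bits[5], bits[6]]


def public_message_leaks_nothing():
    """For uniform 7-bit inputs, check that every syndrome is compatible with
    every 4-bit key exactly once, so the message is independent of the key."""
    seen = {}
    for word in product((0, 1), repeat=7):
        seen.setdefault(syndrome(word), []).append(tuple(extract_key(word)))
    return all(len(k) == 16 and len(set(k)) == 16 for k in seen.values())


def run_exchange(alice_obs, bob_obs):
    """Return (Alice's key, Bob's key, public syndrome) for one block."""
    x_a = quantize(alice_obs)
    s_a = syndrome(x_a)                       # sent over the public channel
    x_hat = bob_recover(quantize(bob_obs), s_a)
    return extract_key(x_a), extract_key(x_hat), s_a


if __name__ == "__main__":
    key_a, key_b, s_a = run_exchange(ALICE_OBS, BOB_OBS)
    print("public syndrome:", s_a)
    print("Alice key:", key_a, "Bob key:", key_b)
    # Two disagreements exceed what this short code corrects: the keys differ.
    two_flips = [-b if i in (2, 4) else b for i, b in enumerate(ALICE_OBS)]
    print("two flips:", run_exchange(ALICE_OBS, two_flips)[:2])
```

With two disagreements in a block the decoder returns a different word without signalling it, so the code has to be matched to the disagreement rate between the two quantized sequences.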

We do not consider authentication in our proposed secret 
key generation system [26]-[28]. Therefore, our system does
not address active attacks such as man-in-the-middle attacks. 
One could always first authenticate the validity of Alice and 
Bob by using public key cryptography before invoking our 
secret key generation system. 

B. Notation and outline 

Unless otherwise specified, we use upper case letters, e.g.,
$X$, to denote random variables and bold uppercase, e.g.,
$\mathbf{X}$, to denote random vectors; $x$ and $\mathbf{x}$ are their respective
realizations. If $X$ is a complex random variable, we use $\Re(X)$
and $\Im(X)$ to denote, respectively, the real and imaginary parts
of $X$. We use $X \sim \mathcal{CN}(m, \sigma^2)$ to denote a complex Gaussian
random variable $X$ with mean $m$, variance $\sigma^2$, and with real
and imaginary parts independent and identically distributed.

The rest of the paper is organized as follows. In Sec. II we
provide background material on the OFDM channel model.
In Sec. III we define secret key capacity and introduce the
measurement model. In Sec. IV we evaluate the secret key
capacity for various channels of interest, and draw a number
of useful lessons for designs. In Sec. V we describe our designs
and algorithms. In Sec. VI we provide numerical results for
typical 802.11a parameter settings and secret key capacity.
We conclude in Sec. VII. Some proofs are deferred to the
Appendix.

II. Channel Diversity: An OFDM Example 

In this section, we introduce the diversity signaling technique
used in OFDM systems. We then characterize the channel
coefficients which represent the channel diversity and from
which we extract our secret keys. The OFDM model we use
follows closely that introduced in [35].



A. OFDM signaling 

Let $T$ denote the signaling duration and $W$ denote the two-sided
bandwidth of a wireless link with $M = TW$. An OFDM
system transmits $M$ orthogonal signals. The transmitted signal
$s(t)$ can be represented as

$$s(t) = \sum_{n=0}^{M-1} S_n \phi_n(t), \quad 0 \le t \le T, \qquad (1)$$

where the $S_n$ are the information-bearing signal coefficients
and the $\phi_n(t)$ are the orthogonal modulating waveforms or
"tones". In OFDM the Fourier basis is used, i.e.,

where A/ = ^. The received signal $r(t)$ is $r(t) = h(t) * s(t) + w(t)$,
where $h(t)$ is the communication channel, assumed to be
time-invariant during the two-way training, $w(t)$ is the receiver
noise, and $*$ denotes continuous-time convolution. We model
$w(t)$ as a complex zero-mean white Gaussian noise process
with autocorrelation function $E[w(t_1) w^*(t_2)] = \sigma^2 \delta(t_1 - t_2)$,
where $\delta(\cdot)$ is the Dirac delta.

We discretize the observation $r(t)$ by projecting it onto the
orthogonal basis functions $\phi_n(t)$ to produce
r{tm{t)dt = HnSr,
where



Hn 



Vfh(t)(t)i{t)dt 



is the frequency domain channel coefficient at the $n$th tone
and the
w{t)<i>l{t)dt

are independent zero-mean complex Gaussian random variables
of variance $\sigma^2$.

Wireless multipath channels $h(t)$ are well modeled in [35]
as having an echo-type impulse response. In particular, let

$$h(t) = \sum_{k=1}^{N_p} \beta_k \delta(t - \tau_k) \qquad (4)$$

where $N_p$ is the total number of propagation paths, and
$\tau_k \in [0, \tau_{\max}]$, $\tau_{\max}$ and $\beta_k$ are the delay, the delay spread
and the complex channel gain associated with the $k$th path.
Since $\tau_k$ is typically much longer than the speed of light
divided by the carrier, each $\beta_k$ is well modeled as having
uniform random phase. Also, since the scattering objects are
distinct, the $\beta_k$ are well modeled as independent random variables.
We incorporate an exponential power-delay profile where the
variance of $\beta_k$ decays with $\tau_k$.

The frequency domain channel coefficients $H_n$, $0 \le n \le M - 1$, are



Hn 



Np
(5)



(6) 



where in (6) we approximate $H_n$ by quantizing the $\tau_k$ into $M$
delay bins and aggregating the effect of the $\beta_k$ terms into the
$h_\ell$. Each bin is of length $T_{\mathrm{bin}} = 1/W$ and



N^ 



hi = V^ /^/^fcsinc 



k=l 



^'w-^^ 



E 



/3k- 



(7) 
(8) 



The variable $h_\ell$ is the sampled or time domain channel
coefficient associated with the $\ell$th resolvable delay bin. If there
are many $\beta_k$ associated with each bin, as is the case for rich
multipath, the $h_\ell$ are well approximated as zero-mean complex
Gaussian random variables, a further approximation justified
by the central limit theorem.

In an OFDM channel, $\tau_{\max} \ll T$, thus only the first few delay
bins have physical paths contributing to them; similarly only
the first few $h_\ell$ will be significant. Say the first $L < M$
sampled channel coefficients are significant, then we further
simplify our approximation of $H_n$ as



Hn 



1 



L-l 



^^^ £=0 



(9) 



where we have neglected the effect of the tails of the sinc
waveforms in (7).

The $h_\ell$ are well modeled as having uniform phase (as
remarked following (4)) and having a complex Gaussian
distribution (as remarked following (8)). Since the paths aggregated
into distinct $h_\ell$ are typically reflections from distinct scatterers,
the $L$ non-zero $h_\ell$ are also often well modeled as being
statistically independent. However, the $h_\ell$ are not identically
distributed; the variance is roughly inversely proportional to
$\tau_k$ as the result of the exponential power-delay profile on $\beta_k$.
On the other hand, $H_n$ exhibits Gaussian characteristics under
rich multipath with variance $\sigma_H^2$. Following from (5), we have

$$\sigma_H^2 = E[|H_n|^2] = \sum_{k=1}^{N_p} E[|\beta_k|^2]$$

which does not depend on $n$. Hence, while the $H_n$ are not
independent, they have the same marginal distribution.

We note that if there are only a few transmission paths, the
assumption that channel coefficients are Gaussian distributed
no longer holds. However, we use the Gaussian model as
an example to illustrate the importance of exploiting channel
diversity, which is not limited to the Gaussian case.

B. Signal-to-noise ratio 

As mentioned above, when multipath is rich, i.e., $N_p$ is
large, the $H_n$ can be well modeled as $\mathcal{CN}(0, \sigma_H^2)$. We define
the per-tone SNR as

$$\mathrm{SNR}_f = \frac{E[|H_n|^2]}{\sigma^2} = \frac{\sigma_H^2}{\sigma^2}. \qquad (10)$$



Also as discussed above, hi is well modeled as CA/'(0, cr^(^)). 
We can thus define the time-domain SNR as 



SNRr{i) 



^m 



'W 



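(11)

It can be shown that we have the relation

$$\sum_{\ell=0}^{L-1} \mathrm{SNR}_\tau(\ell) \approx M \cdot \mathrm{SNR}_f. \qquad (12)$$

If the sampled channel coefficients have equal variance, the
relationship simplifies to

$$\mathrm{SNR}_\tau \approx \frac{M}{L} \mathrm{SNR}_f. \qquad (13)$$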



III. Secret key systems: Definitions and measurement model

In this section we introduce the measurement model and the secret
key generation system, and study the secret key capacity.

A. System model

Secret key generation systems have been studied by many
authors. In particular, the authors in [5], [6] study the fundamental
limits on the achievable secret key rates. We state their
results for reference in the context of our application.

Definition 1. A length-$N$ secret key generation system over
alphabets $\mathcal{X}_A, \mathcal{X}_B, \mathcal{K}, \mathcal{S}$ is a triplet of functions $(f, g_A, g_B)$:
^ ^^^,


(14) 


^ 5™, 


(15) 


^ X^- 


(16) 



We interpret this definition in the context of the system
operation described in Sec. I-A. The function $f$ maps Alice's
source of randomness into the secret key. The function $g_A$
defines the public message Alice sends to Bob. The function
$g_B$ is Bob's decoding function that maps his observation and
the public message into his estimate of Alice's observation. If
Bob's estimate is correct, applying $f(\cdot)$ to it will recover the
key.

Given a source of randomness $P_{X_A, X_B}(x_A, x_B)$, where
$x_A \in \mathcal{X}_A$ and $x_B \in \mathcal{X}_B$, the secret key capacity is the
supremum of achievable secret key rates. An achievable secret
key rate is defined as follows.

Definition 2. A secret key rate $R$ is achievable if for any $\epsilon > 0$
and $N$ sufficiently large, we have:

$$NR \log|\mathcal{K}| - H(f(X_A^N)) < \epsilon, \qquad (17)$$
$$\Pr[f(X_A^N) \neq f(g_B(X_B^N, g_A(X_A^N)))] < \epsilon, \qquad (18)$$
$$\frac{1}{N} I(f(X_A^N); g_A(X_A^N)) < \epsilon. \qquad (19)$$

The first inequality implies that the secret key is nearly 
uniformly distributed. The second inequality upper bounds the 
probability of error in key recovery. The final inequality is the 
secrecy guarantee, i.e., that the public message tells you little 
about the key. 

The above definitions are often stated for a setting in which 
an attacker (Eve) has access to a correlated measurement 
of the source as well as the public message. We do not 
include this possibility in the definitions as stated herein due 
to the source of randomness we study. We will characterize 
secret key capacity for an OFDM system where the correlated 
observations $X_A^N$ and $X_B^N$ are functions of the underlying
channel law (the $H_n$ or the $h_\ell$ of Sec. II). In a rich scattering
environment the channel law between two users changes 
utterly if either moves more than a few wavelengths (a few 
centimeters for an OFDM system). Therefore an eavesdropper 
would have to be positioned extremely close to either Alice 
or Bob to get useful channel observations. This is one of the 
inherent strengths of this source of randomness - it is difficult 
to eavesdrop. And for this reason we ignore the possibility of 
eavesdropping throughout the rest of the paper. (In contrast, 
the public message is easy to intercept, and so we must assume 
Eve has knowledge of that message.) 

In [6] the following theorem is shown.

Theorem 1. For a discrete memoryless source
$P_{X_A, X_B}(x_A, x_B)$ the secret key capacity is

$$C = \lim_{N \to \infty} \frac{1}{N} I(X_A^N; X_B^N) \qquad (20)$$

assuming the limit exists.

B. Measurement model 

The sources of randomness we work with in the paper are
noisy measurements of the channel coefficients. Alice and Bob
each send an identical and known sounding signal $s(t)$ to the
other. For simplicity we assume each signal coefficient $S_n = 1$.
(Equal-power sounding is known not always to be the best
choice, see [8].) We assume that the channel remains static
during this two-way training. The period in which a wireless
channel is roughly static is termed the coherence period. Thus,
this two-way training is assumed to occur within a single
coherence period.

Under this channel assumption we model Alice and Bob's
measurements as

$$H_{A,n} = H_n + w_{A,n}, \qquad H_{B,n} = H_n + w_{B,n}, \qquad (21)$$

respectively, where $w_{A,n}, w_{B,n} \sim \mathcal{CN}(0, \sigma^2)$ are independent
sources of noise. We note that the phase offset caused
by the local oscillators may add extra noise to the measurement
[35], [26], [36]. We defer the discussion of phase offset to the
end of this section.

The frequency domain correlation coefficient between Alice
and Bob's observations at the $n$th tone can be shown to be:

$$\rho_f = \frac{\mathrm{SNR}_f}{1 + \mathrm{SNR}_f}. \qquad (22)$$

Note that the correlation $\rho_f$ between $H_{A,n}$ and $H_{B,n}$ is equal
to the correlation between $\Re(H_{A,n})$ and $\Re(H_{B,n})$ and is also
equal to that between $\Im(H_{A,n})$ and $\Im(H_{B,n})$. We can also
consider the time domain observation as:



$$h_{A,\ell} = \Re(h_{A,\ell}) + j\Im(h_{A,\ell}) = h_\ell + n_{A,\ell},$$
$$h_{B,\ell} = \Re(h_{B,\ell}) + j\Im(h_{B,\ell}) = h_\ell + n_{B,\ell}, \qquad (23)$$



where h£ ^ CA/'(0, cr^(^)) is the sampled channel coefficient 
and ub/, ua/ ^ CA/'(0,cr^) are the noises. Similar to the 
correlation in the frequency domain, the correlation coefficient of the
$\ell$th sampled channel coefficient is given as:

$$\rho_\tau(\ell) = \frac{\mathrm{SNR}_\tau(\ell)}{1 + \mathrm{SNR}_\tau(\ell)}. \qquad (24)$$

Note again that the correlation coefficient $\rho_\tau(\ell)$ between
$h_{A,\ell}$ and $h_{B,\ell}$ is equal to the correlation coefficient between
$\Re(h_{A,\ell})$ and $\Re(h_{B,\ell})$ or equivalently equal to that between
$\Im(h_{A,\ell})$ and $\Im(h_{B,\ell})$.

To get to the long block-lengths possibly required to approach
secret key capacity, we repeat this two-way channel
sounding across multiple channel coherence periods. The
channel is assumed to be independently and identically distributed
across coherence periods. Say that within each period
Alice and Bob generate channel observations $h_{A,\ell}$ and $h_{B,\ell}$,
respectively, for $\ell = 1, 2, \ldots, L$. Further, say they do this
for $n$ coherence periods yielding measurements $h_{A,\ell}[i]$ and
$h_{B,\ell}[i]$ for $i = 1, 2, \ldots, n$. They stack their observations into
the length-$N$ real vectors, where $N = 2nM$, as follows:



X
^(^A,l[l])
^(^A,l[l]) 

^(^a,l[1]) 
^(^a,l[1]) 

^(^A,l[2]) 

^{hA,L[n]) 








X 



N 



^(^b,l[1]) 
^(^B,i[2]) 

^{hB,L[n]) 








(25) 



where the padding is with $2nM - 2nL = 2n(M - L)$ zeros.
These are the degrees of freedom lost due to the fact that the
last $M - L$ coefficients in each block are zero, cf. (9). Were
the approximation that the last $M - L$ coefficients in each
block were zero to be exact, then due to the i.i.d. assumption
across coherence blocks, the limit in (20) would exist and
would evaluate to

$$C = \lim_{N \to \infty} \frac{1}{N} I(X_A^N; X_B^N) = \frac{1}{2M} I(h_A^L; h_B^L) \qquad (26)$$

where $h_A^L$ and $h_B^L$ are, respectively, the length-$L$ complex
vectors of observations made by Alice and Bob. While the
definitions provided in Sec. III-A are for finite alphabets,
the extension to continuous alphabets follows from standard
limiting arguments.



C. Phase Offset

We have thus far implicitly assumed perfect synchronization
between Alice and Bob. In practice, however, Alice
and Bob's measured channel parameters may be affected by the
phase offset caused by the local oscillators of both transmitters.
Since phase synchronization is not perfect, there is a phase offset
during each channel sounding. Furthermore, the frequency
generated by local oscillators continuously fluctuates (or drifts)
around its center frequency, causing a time dependent phase
drift. There are many existing techniques developed to mitigate
the effect of such phase offset (see [36], [26] and the references
therein).

Since the signal duration is very small in a channel training,
we assume that during each channel sounding the phase offset
caused by oscillator frequency drift is negligible, i.e., the
phase offset is time invariant. However we do not assume it
is negligible across channel trainings, i.e., between coherence
intervals. Denote the phase offset caused by Alice and Bob's
local oscillators as $\theta_A$ and $\theta_B$ respectively. The offsets can be
incorporated into Alice's and Bob's measurements as $h_A^L e^{j\theta_A}$
and $h_B^L e^{j\theta_B}$, cf. (23). Since the phase offset is differential, without
loss of generality, we can incorporate the error into Bob's
measurement and write $h_A^L$ and $h_B^L e^{j\theta}$ with $\theta = \theta_B - \theta_A$.
Then the unnormalized secret key capacity in (26) becomes
$I(h_A^L; h_B^L e^{j\theta})$.

We show that by exploiting the channel diversity, one can
mitigate the effect on the secret key capacity caused by phase
offset. First, note that

$$I(h_B^L e^{j\theta}; h_A^L, e^{j\theta}) = I(h_B^L e^{j\theta}; h_A^L) + I(h_B^L e^{j\theta}; e^{j\theta} \mid h_A^L)$$
$$= I(h_B^L e^{j\theta}; e^{j\theta}) + I(h_B^L e^{j\theta}; h_A^L \mid e^{j\theta}).$$

Then we can write:

$$I(h_B^L e^{j\theta}; h_A^L) = I(h_B^L e^{j\theta}; h_A^L \mid e^{j\theta}) + I(h_B^L e^{j\theta}; e^{j\theta}) - I(h_B^L e^{j\theta}; e^{j\theta} \mid h_A^L)$$
$$= I(h_B^L; h_A^L) + I(h_B^L e^{j\theta}; e^{j\theta}) - I(h_B^L e^{j\theta}; e^{j\theta} \mid h_A^L)$$
$$\overset{(a)}{\ge} I(h_B^L; h_A^L) - I(h_B^L e^{j\theta}; e^{j\theta} \mid h_A^L)$$
$$= I(h_B^L; h_A^L) - I(e^{j\theta}; h_A^L, h_B^L e^{j\theta}). \qquad (27)$$

Inequality (a) is an equality ($I(h_B^L e^{j\theta}; e^{j\theta}) = 0$) if $h_B^L$ is a
circularly symmetric complex Gaussian vector, since $h_B^L$ and
$h_B^L e^{j\theta}$ have the same distribution. The last equality follows
because $e^{j\theta}$ is independent of $h_A^L$. The second term on the right
hand side of (27), $I(e^{j\theta}; h_A^L, h_B^L e^{j\theta})$, is the secret key capacity
loss caused by the phase offset and it is the decrease in
uncertainty about the unknown offset $e^{j\theta}$ given the knowledge
of $h_A^L$ and $h_B^L e^{j\theta}$ as measured in bits. Note that because $h_B^L$
and $h_B^L e^{j\theta}$ have the same distribution nothing can be learned
about $\theta$ by observing $h_B^L e^{j\theta}$ only. However in combining
with the knowledge of $h_A^L$ one can better estimate $\theta$ because
$\angle h_B^L e^{j\theta} = \angle h_B^L + \theta$ and $\angle h_A^L$, $\angle h_B^L$ are dependent random
variables. Thus we get $L$ independent looks at $\theta$ with additive
noise (since $h_A^L$ and $h_B^L$ each has $L$ independent entries). Note
that because of the additive noise, it is impossible to estimate
$\theta$ with infinite precision.

Since $\theta$ is a scalar the loss term does not scale linearly in
$L$. By the Cramer-Rao bound we know that the variance of the
estimate of $\theta$ can drop at most as $1/L$, which means for a general
distribution the loss should scale as $\log L$. In other words, as $L$
becomes larger, while one can potentially get a better estimate of
$\theta$ from channel observations, the loss scales more slowly
than the gain from the first term on the right hand side of
(27), which scales linearly in $L$. This supports our claim that
channel diversity should be exploited, both as a way to boost
secret key capacity and to mitigate the phase offset.

Later in Sec. V we will show how the LDPC design can be
adapted to perform the estimation of phase offset.

IV. Secret key capacity calculations 

We are now in position to evaluate the secret key capacity
for various channels of interest. In Sec. IV-A we first do
this for the general OFDM model of time-domain channel
coefficients. Then, to ease analysis, we focus on an idealized
model wherein all sampled channel coefficients have the same
variance. This simplification allows us to draw a number of
general lessons on secret key generation for OFDM channels.
In Sec. IV-B we quantify the (quite large) reduction in secret
key rate when only received signal strength indicator (RSSI)
information is available, as opposed to full CSI. In Sec. IV-C
we discuss generating keys separately from the amplitude and
phase of the CSI, as opposed to the real and imaginary parts.

A. Secret key capacity based on CSI 

We now evaluate (26) in terms of the SNR of the channel.
Due to the fact that $h_A^L$ and $h_B^L$ are jointly complex Gaussian
and i.i.d. in time, we have
^log
-^SNRrii)



2n 



(28) 



where the approximation follows from the fact that the last 
M — L sampled coefficients are approximately zero. If the 
sampled coefficients have equal variance, the capacity simpli- 
fies to 

2n 



c 



L 

'2M 



log 



1 



SNRr 



(29) 



l^SNRr^ 

Note that the correlation coefficient in time relates to that
in frequency as:

$$\rho_\tau \approx \frac{M \cdot \mathrm{SNR}_f}{L + M \cdot \mathrm{SNR}_f} = \frac{M \rho_f}{L + (M - L)\rho_f}. \qquad (30)$$

In the remainder of this section we focus on an idealized 
model wherein all sampled channel coefficients have the same 
variance. We let Ha/, Jib/ ~ CA/'(0,cr^) where a^ = a^ + 
a^. Note that $\Re(h_{A,\ell})$, $\Re(h_{B,\ell})$ have correlation coefficient
$\rho_\tau$ defined in (30) and $\Im(h_{A,\ell})$, $\Im(h_{B,\ell})$ also have the same
correlation coefficient $\rho_\tau$. The secret key capacity between
Alice and Bob now reduces to (29).



B. Secret key generation based on measurements of RSSI

In this section we compare the secret key capacity given
sampled channel coefficients (29) to the secret key capacity
if only received signal strength indicator (RSSI) values are
available. Since RSSI summarizes the true vector of channel
state information, there will clearly be a reduction in secret
key capacity if only RSSI values are made available. In
fact the reduction is dramatic. From a technological point
of view, most off-the-shelf wireless transceivers make only
RSSI values available to the upper layers, not the channel
state information. This section demonstrates that making full
CSI available would greatly help the ability to generate secret
keys.

To calculate the secret key capacity based on RSSI values,
let $R_A$ and $R_B$ denote the RSSI values received by Alice and
Bob. In an OFDM system, the RSSI takes the form [37]:



L-l 



L-l 



RA=Y.\hAA'=T.[\^(^^
where



Xa,
if 0<£< L-l



mhA,i)\' 

\3{hA/-L)\^ if L<£<2L 



1 



The quantities $R_B$ and $X_{B,\ell}$ are defined similarly. Further,
$X_{A,\ell}$ and $X_{B,\ell}$ are $\mathcal{N}(0, 1)$ Gaussian random variables with
$\rho_\tau = E[X_{A,\ell} X_{B,\ell}]$ for all $\ell$.

Both $R_A$ and $R_B$ are non-standard chi-square distributed
random variables with $2L$ degrees of freedom. The joint
probability density function of a pair of chi-square random
variables is given in Theorem 2.1 in [38] and we use it to
numerically calculate the mutual information between $R_A$ and
$R_B$, denoting the secret key capacity calculated as:

$$C_R = \frac{1}{2M} I(R_A; R_B). \qquad (31)$$

When $L$ is large, $R_A$ and $R_B$ can be well approximated
as Gaussian random variables $\mathcal{N}(2L, 4L)$ due to the
central limit theorem. The mean and variance for $R_A$ and
$R_B$ can be calculated as $E[R_A] = \sum_{\ell=0}^{2L-1} E[X_{A,\ell}^2]$ and
$\mathrm{var}(R_A) = \sum_{\ell=0}^{2L-1} \mathrm{var}(X_{A,\ell}^2)$ using the identities $E[X_{A,\ell}^2] = 1$,
$E[X_{A,\ell}^4] = 3$, and $E[(X_{A,\ell}^2 - E[X_{A,\ell}^2])^2] = 2$, which follow
from the variance normalization. The correlation coefficient
between $R_A$ and $R_B$ is

$$\rho_R = \frac{E[(R_A - 2L)(R_B - 2L)]}{4L} = \frac{E[(X_{A,\ell}^2 - 1)(X_{B,\ell}^2 - 1)]}{2} \qquad (32)$$

where the joint moment generating function of $X_{A,\ell}$ and $X_{B,\ell}$
is:

We calculate the joint moment $E[X_{A,\ell}^2 X_{B,\ell}^2]$ by taking second
order partial derivatives of $M(s_1, s_2)$ with respect to $s_1$ and $s_2$ and
evaluating the result at $s_1 = 0$, $s_2 = 0$. Equation (32) can be
reduced to:

$$\rho_R = \rho_\tau^2 \qquad (34)$$

Fig. 1. Secret key capacity when L = 2, 5, and 10. M = 10

and the secret key capacity based on RSSI under Gaussian 
approximation is then: 

1 , / 1 



Cb = 



4M 



log 



1 



Pi 



(35) 



Observe from (35) that the secret key capacity does not 
depend on $L$. In other words, at a given SNRr, while the 
capacity between coefficients increases linearly with $L$ as 
shown in equation (29), the capacity between RSSI stays the 
same. This is because there is only a single RSSI value 
regardless of the number of observations. In Fig. 1 we compare 
the capacity obtained from channel coefficients and from RSSI 
for $L = 2$, 5 and 10 with $M = 10$. The secret key capacity 
between the channel coefficients is calculated using (29) and 
that between RSSI is calculated both numerically using (31) and 
using the Gaussian approximation (35). We first note that the secret key 
capacity obtained from the channel coefficients increases with 
$L$, whereas that based on RSSI stays constant. We also note 
that the Gaussian approximation is quite accurate, even when 
$L$ is rather small. 
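
The Gaussian approximation above can be checked numerically. The following Monte Carlo sketch is an added example, not code from the paper: it draws correlated unit-variance Gaussian terms, forms the two RSSI sums, and compares the empirical mean, variance and correlation with $2L$, $4L$ and $\rho_r^2$ from (34). The base-2 logarithm in the capacity function, the sample count and the seed are assumptions.

```python
import math
import random


def rssi_pair(L, rho_r, rng):
    """One (R_A, R_B) draw: each RSSI is a sum of 2L squared N(0,1) terms,
    and matching terms of Alice and Bob have correlation rho_r."""
    noise = math.sqrt(1.0 - rho_r ** 2)
    r_a = r_b = 0.0
    for _ in range(2 * L):
        x_a = rng.gauss(0.0, 1.0)
        x_b = rho_r * x_a + noise * rng.gauss(0.0, 1.0)
        r_a += x_a ** 2
        r_b += x_b ** 2
    return r_a, r_b


def rssi_statistics(L, rho_r, trials=20000, seed=7):
    """Empirical mean and variance of R_A and the correlation rho_R."""
    rng = random.Random(seed)
    pairs = [rssi_pair(L, rho_r, rng) for _ in range(trials)]
    mean_a = sum(a for a, _ in pairs) / trials
    mean_b = sum(b for _, b in pairs) / trials
    var_a = sum((a - mean_a) ** 2 for a, _ in pairs) / trials
    var_b = sum((b - mean_b) ** 2 for _, b in pairs) / trials
    cov = sum((a - mean_a) * (b - mean_b) for a, b in pairs) / trials
    return mean_a, var_a, cov / math.sqrt(var_a * var_b)


def rssi_capacity_gaussian(rho_r, M):
    """Equation (35) with rho_R = rho_r**2 from (34); log base 2 is assumed.
    L does not appear: one RSSI value carries the same key capacity for any L."""
    rho_R = rho_r ** 2
    return math.log2(1.0 / (1.0 - rho_R ** 2)) / (4.0 * M)


if __name__ == "__main__":
    rho_r = 0.8
    for L in (2, 5, 10):
        mean_a, var_a, rho_R = rssi_statistics(L, rho_r)
        print(f"L={L:2d}  mean={mean_a:6.2f} (2L={2 * L})  "
              f"var={var_a:6.2f} (4L={4 * L})  "
              f"rho_R={rho_R:.3f} (rho_r^2={rho_r ** 2:.3f})")
    print("C_R from (35), M=10:", rssi_capacity_gaussian(rho_r, 10))
```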

C. Representing complex channel coefficients by their real-and-imaginary 
parts or by their magnitude-and-phase 



Recall that the secret key capacity (26) is the mutual 
information between the sampled channel coefficients observed 
by Alice and Bob. In this section we show this capacity 
is at least as large as the sum of the mutual informations 
between the magnitudes of the channel coefficients and that 
between the phases of the channel coefficients. This is because 
while marginally the channel coefficients observed by Alice 
and Bob are circularly symmetric (and thus their magnitude 
and phase are independent), the correlation between Alice 
and Bob's channel coefficients means there is dependence 
between Alice's phase and Bob's magnitude and vice-versa. 
Thus, the secret key should not be generated by treating 
phase and magnitude separately. On the other hand, the real 
parts of Alice and Bob's coefficients are independent of the 
imaginary parts. Thus, without loss of capacity the key can 
be generated treating the real and imaginary parts of each pair 
of observations as separate pieces of independent randomness. 
This is the reason behind our choice of definition of $X_A^N$ and 
$X_B^N$ in (25). 

Fig. 2. Comparison of the secret key capacity to the sum of the mutual 
information between the magnitude of the observations and that between the 
phases. 



This idea is encapsulated in the following theorem. For 
simplicity (and because the sampled channel coefficients are 
independent) we focus on a single pair of observations, $h_A$ 
and $h_B$. 

Theorem 2. If $h_A$ and $h_B \sim \mathcal{CN}(0, \sigma^2)$ are jointly complex 
Gaussian random variables, we have: 

$$I(h_A; h_B) = I(\Re(h_A); \Re(h_B)) + I(\Im(h_A); \Im(h_B)) \ge I(|h_A|; |h_B|) + I(\angle h_A; \angle h_B).$$

Proof: See Appendix A. ■ 

In Figure 2 we illustrate this result for a range of SNR. 
We plot the capacity $I(h_A; h_B)$, $I(|h_A|; |h_B|) + I(\angle h_A; \angle h_B)$, 
as well as the two terms of the latter, $I(\angle h_A; \angle h_B)$ and 
$I(|h_A|; |h_B|)$. The gap to capacity is evident at all SNR. It 
is also worthwhile to note that most of the information is in 
the phase information; $I(|h_A|; |h_B|)$ is much smaller. This is 
another illustration of the lesson of Sec. IV-B as the magnitude 
information is the RSSI of this example. We reiterate that the 
reason for the gap to capacity is that the pair $(|h_A|, |h_B|)$ 
is not statistically independent of $(\angle h_A, \angle h_B)$ due to the 
correlation between real and imaginary parts of $h_A$ and $h_B$. 



V. Design and Algorithms 

In this section we describe a key reconciliation system 
based on low-density parity-check (LDPC) codes. The basic 
idea behind our design is the following. Alice and Bob have 
correlated observations $X_A^N$ and $X_B^N$, cf. (25), and shared 
knowledge of an LDPC code. First, Alice makes a quantized 
version $X_{A,Q}^N$ of her observation $X_A^N$. Generally $X_{A,Q}^N$ will 
not be a codeword of the LDPC code, but it will always be 
an element of some coset of the code. She determines this 
coset by calculating the syndrome of her observation, which 
she sends to Bob. Thus, the syndrome is the public message 
in (15). By itself the syndrome reveals little information about 
the source since there are so many sequences in the coset. This 
is why this construction satisfies the secrecy condition of (19). 
However, with knowledge of the coset and of his observation 
$X_B^N$, Bob can "de-noise" $X_B^N$ to recover $X_{A,Q}^N$ by decoding 
the LDPC code with respect to the known coset in which 
$X_{A,Q}^N$ lies while treating $X_B^N$ as a noisy observation of $X_A^N$. 
All cosets inherit the distance properties of the LDPC code, 
which gives the needed robustness to the random differences 
between $X_A^N$ and $X_B^N$. It should be noted that this is a 
well-understood method for tackling these problems, see, e.g., [39]. 
Our contribution is really the prototyping of this system for 
the random source of interest (wireless channels) and some 
design for non-binary quantization. 

In Sec. V-A we provide some background on LDPC codes 
and how they fit into the key generation framework of Def. 1. 
In Sec. V-B we describe the algorithm implemented for 
non-binary (four-level) quantization. 

A. Background, setup, and secrecy analysis 

A length-$N$ rate-$R$ LDPC code over $GF(q)$ is characterized 
by its $m \times N$ parity check matrix $P$ with elements drawn from 
$GF(q)$ where $R = (1 - m/N) \log_2(q)$ bits per channel use. 
The parity check matrix of an LDPC code is low-density in 
the sense that the number of non-zero elements of each row 
is upper bounded by some constant, regardless of the 
block-length $N$. Thus, most elements of $P$ are zero. A regular LDPC 
code has a constant row-weight (number of non-zero elements) 
and a constant column-weight. An irregular LDPC code has 
a set of row and column weights, where the fraction of each 
is specified by a degree distribution polynomial. 

In producing $X_{A,Q}^N$ Alice has a choice of quantization. 
In our design she performs scalar quantization, quantizing 
each element of $X_A^N$ independently. Further, we study two 
quantization alphabets: the first where each of the $N$ elements 
of $X_{A,Q}^N$ is binary, the second where each is quaternary. Bob 
may choose also to quantize his observations prior to decoding, 
but there will be a loss in information (and thus performance) 
if he does so. If Bob also quantizes his observations, he is said 
to perform "hard" decoding, while if he does not he is said to 
perform "soft" decoding. 

Alice creates her public message by multiplying her 
observation $X_{A,Q}^N$ with $P$ to produce the length-$m$ syndrome 
$S^m$, $S^m = P X_{A,Q}^N$, where $m = N[1 - R/\log_2(q)]$. Within 
each coset there are $2^{N \log_2(q)(1 - m/N)} = 2^{NR}$ sequences. As 
long as $NR < I(X_{A,Q}^N; X_B^N)$ then recovery of $X_{A,Q}^N$ 
(decoding) will be reliable. It can be shown that $H(X_{A,Q}^N | S^m)$, 
the uncertainty in $X_{A,Q}^N$ given the knowledge of the public 
message $S^m$, is at least $NR$. This means that the uncertainty 
in $X_{A,Q}^N$ given knowledge of the public message $S^m$ is 
exactly the same as the size of the coset. Thus, if the key 
extraction function $f(\cdot)$ first quantizes $X_A^N$ to get $X_{A,Q}^N$ and 
then sets the key to be equal to the index that identifies 
$X_{A,Q}^N$ within the coset of the LDPC code in which it lies, the 
mutual information of this index with $S^m$ will be arbitrarily 
small, satisfying the secrecy condition (19). Finally, since 
$R < (1/N) I(X_{A,Q}^N; X_B^N)$ for successful recovery, we get that the 
upper bound on the achievable secrecy rate approaches (20) 
as the quantization gets increasingly fine. 

B. Design based on non-binary LDPC codes 

In Sec. VI-B we present simulation results for two key 
generation systems based upon LDPC codes. In the first Alice 
uses binary quantization to produce $X_{A,Q}^N$ and in the second 
she uses four-level quantization. In this section we describe 
the design only for the four-level (non-binary) quantization as 
the one for binary quantization is based upon standard LDPC 
decoding techniques. 

To simplify notation, in this section we use $x_i$ to represent 
the $i$th element of Alice's quantized observation $X_{A,Q}^N$ and 
$y_i$ to represent the $i$th element of Bob's (not necessarily 
quantized) observation $X_B^N$. As our discussion is for 
four-level design, $x_i \in \{0, 1, 2, 3\}$. Similarly $s_i$ is the $i$th element 
of $S^m$, also in $\{0, 1, 2, 3\}$ as are all elements of $P$. To simplify 
the design, rather than working with a code with elements in 
$GF(4)$ we split each $x_i$ into bit planes, representing each $x_i$ 
by a pair of binary symbols $x_{i,M}$ and $x_{i,L}$, each taking the 
respective value in $\{0, 1\}$ that satisfies 

$$x_i = x_{i,L} + 2 x_{i,M}. \qquad (36)$$

We can now apply a pair of length-$N$ binary LDPC codes, 
one to each bit plane, or a length-$2N$ binary LDPC code to 
the concatenation of the bit planes. We implemented both 
and, while the latter generally has the higher performance 
(though not by too much), the former allows more flexibility 
(e.g., in reconstructing only the most significant bit plane or 
sequential reconstruction) and is slightly simpler to implement. 
We choose to present our results on the former, using $C_\alpha$, 
$P_\alpha$, and $s^{m_\alpha}$ to represent, respectively, the code, the parity 
check matrix, and the syndrome associated with $x_\alpha^N$, the 
sequence of concatenated $x_{i,\alpha}$ where $\alpha \in \{L, M\}$. We note 
that $C_M$ and $C_L$ need not be the same rate so $m_M \neq m_L$ in 
general. However, in all our simulations we choose $P_M = P_L$, 
where equality is element-wise, so $C_M = C_L$. Recall that the 
syndrome is calculated as $s^{m_\alpha} = P_\alpha x_\alpha^N$. 
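
The syndrome exchange of Sec. V-A combined with the bit-plane split of (36) can be traced end to end on a small block. The sketch below is an added example, not the authors' implementation: a Hamming (7,4) parity-check matrix stands in for the sparse LDPC matrix, Bob performs hard decoding by exhaustive search for the nearest element of the announced coset instead of sum-product decoding, and the quantizer thresholds and the two observation vectors are constructed for illustration.

```python
from itertools import product

# Toy parity-check matrix (Hamming (7,4)); an assumption standing in for P_M = P_L.
P = [[1, 0, 1, 0, 1, 0, 1],
     [0, 1, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
THRESHOLDS = (-0.67, 0.0, 0.67)  # assumed four-level scalar quantizer edges

# Constructed observations: Bob's values are Alice's plus small perturbations.
ALICE_OBS = [-1.20, 0.35, 0.90, -0.10, 0.05, -0.80, 1.40]
BOB_OBS = [-1.05, 0.42, 0.81, -0.18, -0.07, -0.91, 1.33]


def quantize(samples):
    """Map each real sample to a level in {0, 1, 2, 3}."""
    return [sum(v > t for t in THRESHOLDS) for v in samples]


def bit_planes(levels):
    """Split x_i into (x_{i,M}, x_{i,L}) with x_i = x_{i,L} + 2 x_{i,M}, eq. (36)."""
    return [x >> 1 for x in levels], [x & 1 for x in levels]


def syndrome(bits):
    """s = P x over GF(2); this is the public message for one bit plane."""
    return tuple(sum(p * b for p, b in zip(row, bits)) % 2 for row in P)


def coset(s):
    """All length-N binary sequences whose syndrome is s (2^(N-m) of them)."""
    return [c for c in product((0, 1), repeat=len(P[0])) if syndrome(c) == s]


def decode_in_coset(s, noisy_bits):
    """Nearest coset element to Bob's bits in Hamming distance."""
    return min(coset(s), key=lambda c: sum(a != b for a, b in zip(c, noisy_bits)))


def alice(samples):
    """Return the public syndromes and the key (coset index per bit plane)."""
    planes = bit_planes(quantize(samples))
    public = tuple(syndrome(x) for x in planes)
    key = tuple(coset(s).index(tuple(x)) for s, x in zip(public, planes))
    return public, key


def bob(samples, public):
    """Recover Alice's quantized levels and the same key from the syndromes."""
    noisy = bit_planes(quantize(samples))
    x_m, x_l = (decode_in_coset(s, y) for s, y in zip(public, noisy))
    levels = [l + 2 * m for m, l in zip(x_m, x_l)]
    key = tuple(coset(s).index(x) for s, x in zip(public, (x_m, x_l)))
    return levels, key


if __name__ == "__main__":
    public, key_a = alice(ALICE_OBS)
    levels, key_b = bob(BOB_OBS, public)
    print("Alice levels:", quantize(ALICE_OBS))
    print("Bob levels  :", quantize(BOB_OBS))
    print("public syndromes (M, L):", public)
    print("recovered levels:", levels, "keys match:", key_a == key_b)
```

Each plane publishes m = 3 syndrome bits and keeps a 4-bit coset index secret, matching the $2^{NR}$ coset size stated in Sec. V-A for this toy code.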

To visualize the two binary LDPC codes and to see how to 
relate them to the observation $y_i$ we depict the constraints 
involved in the key generation process in Fig. 3 using a 
factor graph [40]. The factor nodes $F_i$ constrain the triplet 
of variables $(x_i, x_{i,L}, x_{i,M})$ to satisfy the relationship of (36). 
In particular, 

$$F_i(x_i, x_{i,M}, x_{i,L}) = \begin{cases} 1 & \text{if } x_i = x_{i,L} + 2 x_{i,M}, \\ 0 & \text{else.} \end{cases}$$

Fig. 3. Factor graph of 4-ary LDPC codes. Nodes $x_{i,M}$ and $x_{i,L}$ connect 
to the check nodes of different binary LDPC codes. They are connected by 
local function $F_i$ which regulates them according to the value of $x_i$. 

We attempt to recover $X_{A,Q}^N$, based on knowledge of $y^N$ and 
$s^{m_M}$ and $s^{m_L}$, by using the sum-product algorithm. In this 
algorithm messages that approximate conditional probability 
distributions are iteratively passed along the edges of the factor 
graph. We use the parallel message passing schedule, have all 
factor nodes send messages to all variable nodes, and then 
vice-versa; continuing until either the messages converge or 
some maximum number of iterations is reached. For more 
details of these standard aspects of the implementation see [40]. 
In the remainder of this section we indicate the form of the 
message updates required for the non-binary case. 

We use the following symbols to represent the messages 
passed. The message sent from node $x_i$ to node $F_i$ and 
from node $F_i$ to $x_i$ are, respectively, denoted $\mu_{x_i \to F_i}(x_i)$ and 
$\mu_{F_i \to x_i}(x_i)$. We use $\mathcal{N}(p)$ to denote the neighbors of a given 
node $p$. The summary operator $\sum_{\sim\{p\}}$ means summation over 
all variables except $p$ and the notation $\mathcal{N}(p) \setminus \{q\}$ means the 
set of neighbors of $p$ except $q$. We now detail the form of the 
general sum-product update rules specialized for our problem. 
The message passed from variable node $x_i$ to $F_i$ is 
calculated as 

$$\mu_{x_i \to F_i}(x_i) = \prod_{t \in \mathcal{N}(x_i) \setminus \{F_i\}} \mu_{t \to x_i}(x_i) = \mu_{y_i \to x_i}(x_i).$$

As there is no marginalization at variable node $x_i$, the 
message passed to $F_i$ is the same as the incoming message 
from $y_i$, 

$$\mu_{y_i \to x_i}(x_i) = G_i(x_i),$$

where the local function $G_i(x_i)$ is the channel evidence 

$$G_i(x_i) = p_{X_i|Y_i}(x_i | y_i).$$

The messages passed from factor node $F_i$ to each of the two 
binary variable nodes $x_{i,\alpha}$ where $\alpha \in \{M, L\}$ are calculated as 

$$\mu_{F_i \to x_{i,\alpha}}(x_{i,\alpha}) = \frac{1}{Z} \sum_{\sim\{x_{i,\alpha}\}} \Big[ F_i(x_i, x_{i,M}, x_{i,L}) \prod_{t \in \mathcal{N}(F_i) \setminus \{x_{i,\alpha}\}} \mu_{t \to F_i}(t) \Big],$$

where $Z$ is a normalization factor, 

$$Z = \sum_{x_{i,\alpha}} \sum_{\sim\{x_{i,\alpha}\}} \Big[ F_i(x_i, x_{i,M}, x_{i,L}) \prod_{t \in \mathcal{N}(F_i) \setminus \{x_{i,\alpha}\}} \mu_{t \to F_i}(t) \Big].$$

For example: 

$$\mu_{F_i \to x_{i,M}}(1) = \frac{1}{Z} \big[ \mu_{x_i \to F_i}(2)\, \mu_{x_{i,L} \to F_i}(0) + \mu_{x_i \to F_i}(3)\, \mu_{x_{i,L} \to F_i}(1) \big],$$

$$\mu_{F_i \to x_{i,M}}(0) = \frac{1}{Z} \big[ \mu_{x_i \to F_i}(1)\, \mu_{x_{i,L} \to F_i}(1) + \mu_{x_i \to F_i}(0)\, \mu_{x_{i,L} \to F_i}(0) \big],$$

where $Z$ is given by 

$$Z = \mu_{x_i \to F_i}(2)\, \mu_{x_{i,L} \to F_i}(0) + \mu_{x_i \to F_i}(3)\, \mu_{x_{i,L} \to F_i}(1) + \mu_{x_i \to F_i}(1)\, \mu_{x_{i,L} \to F_i}(1) + \mu_{x_i \to F_i}(0)\, \mu_{x_{i,L} \to F_i}(0).$$

The log-likelihood for $x_{i,M}$ is $\log \frac{\mu_{F_i \to x_{i,M}}(0)}{\mu_{F_i \to x_{i,M}}(1)}$, which 
serves as the channel evidence for the binary code $C_M$. 
Similarly, variable node $x_{i,L}$ calculates the channel evidence 
for $C_L$. Based on these messages, the messages passed in the 
LDPC codes are standard messages where the $s^{m_\alpha}$ make sure 
that the decoding is performed with respect to the correct 
cosets. This aspect is the same as when LDPC codes are 
used in Slepian-Wolf distributed source coding problems, e.g., 
see [41]. The messages passed from the LDPC codes back to 
the $F_i$ are $\mu_{x_{i,M} \to F_i}(x_{i,M})$ and $\mu_{x_{i,L} \to F_i}(x_{i,L})$. 

Finally, the message passed from $F_i$ to variable node $x_i$ is 
calculated as 

$$\mu_{F_i \to x_i}(x_i) = \frac{1}{Z} \sum_{\sim\{x_i\}} \Big[ F_i(x_i, x_{i,M}, x_{i,L}) \prod_{t \in \mathcal{N}(F_i) \setminus \{x_i\}} \mu_{t \to F_i}(t) \Big] = \frac{1}{Z} \sum_{\sim\{x_i\}} \Big[ F_i(x_i, x_{i,M}, x_{i,L})\, \mu_{x_{i,M} \to F_i}(x_{i,M})\, \mu_{x_{i,L} \to F_i}(x_{i,L}) \Big],$$

where $Z$ is the corresponding normalization factor. For 
example: 

$$\mu_{F_i \to x_i}(2) = \frac{1}{Z} \big( \mu_{x_{i,M} \to F_i}(1)\, \mu_{x_{i,L} \to F_i}(0) \big),$$

where $Z$ is 

$$Z = \mu_{x_{i,M} \to F_i}(0)\, \mu_{x_{i,L} \to F_i}(0) + \mu_{x_{i,M} \to F_i}(1)\, \mu_{x_{i,L} \to F_i}(0) + \mu_{x_{i,M} \to F_i}(0)\, \mu_{x_{i,L} \to F_i}(1) + \mu_{x_{i,M} \to F_i}(1)\, \mu_{x_{i,L} \to F_i}(1).$$

Eventually, the messages either converge or the maximum 
iteration count is reached. In our simulations we set this 
maximum to 50 iterations. When the messages converge the 
marginals are computed as the following up to a scaling factor. 

$$\Pr[x_i = a] \propto \mu_{y_i \to x_i}(a)\, \mu_{F_i \to x_i}(a),$$

where $a \in \{0, 1, 2, 3\}$. The algorithm sets its estimates 
symbol-by-symbol as $\hat{x}_i = \arg\max_a \Pr[x_i = a]$. 

We now present the initialization of our algorithm. $GF(4)$ 
variable nodes $x_i$ are initialized as: 

$$\mu_{y_i \to x_i}(x_i) = G_i(x_i),$$

whereas $GF(2)$ variable nodes $x_{i,M}$ are initialized as: 

$$\mu_{F_i \to x_{i,M}}(x_{i,M}) = \frac{1}{Z} \sum_{\sim\{x_{i,M}\}} \Big[ F_i(x_i, x_{i,M}, x_{i,L}) \prod_{t \in \mathcal{N}(F_i) \setminus \{x_{i,M}\}} \mu_{t \to F_i}(t) \Big].$$

At this step the values $x_{i,L}$ can all be set to have equal 
probability as this is the best estimate $x_{i,L}$ can be set to 
initially. In other words, the foregoing equation reduces to: 

$$\mu_{F_i \to x_{i,M}}(x_{i,M}) = \frac{1}{Z} \sum_{\sim\{x_{i,M}\}} \Big[ F_i(x_i, x_{i,M}, x_{i,L})\, \mu_{x_i \to F_i}(x_i) \Big].$$

Therefore, the message initializing $x_{i,M}$ is $\mu_{F_i \to x_{i,M}}(x_{i,M}) = 
\frac{1}{Z} \big[ \mu_{x_i \to F_i}(2 x_{i,M}) + \mu_{x_i \to F_i}(2 x_{i,M} + 1) \big]$. Its corresponding 
log-likelihood is $\log \frac{\mu_{F_i \to x_{i,M}}(0)}{\mu_{F_i \to x_{i,M}}(1)}$, which serves as the initial 
channel evidence in $GF(2)$ for $C_M$. The message initializing 
$x_{i,L}$ can be similarly derived which serves as the initial 
channel evidence in $GF(2)$ for $C_L$. 
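
The update rules at the factor node $F_i$ are small enough to write out directly. The sketch below is an added example, not the authors' decoder: it implements the messages from $F_i$ to the bit nodes and to the symbol node, the uniform-bit initialization, and the final symbol decision. The Gaussian model used for the channel evidence $G_i$ (Alice's sample $\mathcal{N}(0,1)$, Bob's sample correlated with it by an assumed coefficient `rho`) and the quantizer thresholds are assumptions.

```python
import math

THRESHOLDS = (-0.6745, 0.0, 0.6745)  # assumed quantizer edges (quartiles of N(0,1))


def _phi(z):
    """Standard normal CDF."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def channel_evidence(y, rho):
    """G_i(x_i) = p(x_i | y_i) under the assumed model X ~ N(0,1),
    y = rho*X + noise, so that X | y ~ N(rho*y, 1 - rho^2)."""
    mean, sd = rho * y, math.sqrt(1.0 - rho ** 2)
    edges = (-math.inf,) + THRESHOLDS + (math.inf,)
    cdf = [_phi((e - mean) / sd) for e in edges]
    return [cdf[k + 1] - cdf[k] for k in range(4)]


def normalize(v):
    z = sum(v)
    return [p / z for p in v]


def f_to_bit(mu_x, mu_other_bit, target):
    """Message from F_i to bit node x_{i,target}, target in {"M", "L"}.
    mu_x is mu_{x_i -> F_i}; mu_other_bit is the message from the other bit node.
    F_i keeps only the triplets with x_i = x_{i,L} + 2 x_{i,M}."""
    out = [0.0, 0.0]
    for x in range(4):
        m, l = x >> 1, x & 1
        bit, other = (m, l) if target == "M" else (l, m)
        out[bit] += mu_x[x] * mu_other_bit[other]
    return normalize(out)


def f_to_symbol(mu_m, mu_l):
    """Message from F_i to x_i given the messages returned by the two binary codes."""
    return normalize([mu_m[x >> 1] * mu_l[x & 1] for x in range(4)])


def initial_llr(mu_x, target):
    """Initial binary channel evidence: the other bit plane is taken as uniform."""
    msg = f_to_bit(mu_x, [0.5, 0.5], target)
    return math.log(msg[0] / msg[1])


def symbol_estimate(mu_y, mu_f):
    """Pr[x_i = a] proportional to mu_{y_i->x_i}(a) * mu_{F_i->x_i}(a), then argmax."""
    marginal = normalize([a * b for a, b in zip(mu_y, mu_f)])
    return max(range(4), key=marginal.__getitem__), marginal


if __name__ == "__main__":
    evidence = channel_evidence(-0.2, 0.9)          # constructed observation
    code_msg = f_to_symbol([0.2, 0.8], [0.9, 0.1])  # constructed code messages
    print("channel evidence:", [round(p, 3) for p in evidence])
    print("initial LLRs (M, L):", initial_llr(evidence, "M"), initial_llr(evidence, "L"))
    print("decision with code messages:", symbol_estimate(evidence, code_msg)[0])
```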

C. Phase Offset Estimation 



As discussed in Sec. III-C the phase offset during 
two-way channel training will degrade the quality of the channel 
measurement. Therefore, one needs to implement phase offset 
suppression techniques such as phase estimation [26], [36], 
[42]. In this section, we present a novel approach that 
incorporates the estimation of phase offset into the design of 
the reconciliation process. 

For ease of presentation, we assume the phase offset is 
constant across multiple channel trainings. Our idea can easily 
be extended to the situation where phase offset is time varying. 
We propose a joint phase offset estimation and reconciliation 
process, formulated as: 

$$(\hat{x}^N, \hat{\theta}) = \arg\max_{\{x^N,\, \theta' \,\mid\, P x^N = S^m,\ \theta' \in [0, 2\pi]\}} p_{X^N|Y^N}\big(x^N e^{j\theta'} \,\big|\, y^N\big). \qquad (37)$$

Incorporating the task of phase offset estimation as in (37) into 
the reconciliation process puts an extra burden on the codes. To 
support phase offset estimation, the code rate should be lower. 
This reduces the cardinality of the coset that is specified by the 
syndrome as is illustrated in Fig. 4. The lower code rate means 
a lower secrecy rate, reduced by the loss in (27). Fig. 4 depicts 
the coupling between this lowered rate and the joint decoding 
problem in (37). If the code rate is lower (a larger syndrome 
is used as the public message), then for a given optimal $\theta'$ 
parameter in (37) there will be fewer coset elements $x^N$ 
that yield a high probability $p_{X^N|Y^N}$ (right oval in 
Fig. 4). If the original code rate is used, then there will be 
many high probability coset elements (left oval in Fig. 4) and 
the decoding will be erroneous with high probability. 

Fig. 4. Cosets of different LDPC code rates are shown as ovals. The one on 
the left corresponds to higher code rate. It contains many candidate codewords 
thus (37) may have non-unique solutions. The oval on the right is sparser, 
corresponding to a lower code rate. Thus it is possible to have a unique 
solution to (37). Phase rotation $\theta'$ in (37) is represented as the dashed line. 

While the above discussion indicates a generic approach, 
we now show how to integrate this search into our message 
passing algorithm. We propose a joint phase offset estimation 
and reconciliation procedure by concatenating an extra 
variable node $\theta$ to all the check nodes $G_i$, $i = 1, 2, \ldots, N$, where $\theta$ 
denotes the random phase offset between Alice and Bob. We 
assume $\theta$ is discretized such that it can only take some 
finite values. Then by passing messages to and from variable 
node $\theta$, one could obtain the estimate of $\theta$. The algorithm 
works as follows. 

The message passed from $\theta$ to $G_i$ is 

$$\mu_{\theta \to G_i}(\theta) = \prod_{t \in \mathcal{N}(\theta) \setminus G_i} \mu_{t \to \theta}(\theta). \qquad (38)$$

The message passed from $G_i$ to $x_i$ is 

$$\mu_{G_i \to x_i}(x_i) = \frac{1}{Z} \sum_{\theta} p_{X_i, \Theta | Y_i}(x_i, \theta | y_i)\, \mu_{\theta \to G_i}(\theta), \qquad (39)$$

where $Z$ is some normalization factor. The message passed 
from $x_i$ to $G_i$ is 

$$\mu_{x_i \to G_i}(x_i) = \mu_{F_i \to x_i}(x_i). \qquad (40)$$

Finally, the message passed back to $\theta$ is 

$$\mu_{G_i \to \theta}(\theta) = \frac{1}{Z} \sum_{x_i} \Big[ p_{X_i, \Theta | Y_i}(x_i, \theta | y_i)\, \mu_{x_i \to G_i}(x_i) \Big], \qquad (41)$$

where $Z$ is some constant. To initialize the algorithm, one 
can choose the uniform distribution over all the values the 
variable $\theta$ can take. 

Our design extends to the cases where phase offset varies 
across multiple channel trainings. One can concatenate 
multiple $\theta$ variables, each connecting to all the check nodes 
$G_i$ that belong to the same channel training. The actual 
implementation of this algorithm is left as a future work. 

VI. Simulation results 

In this section we provide simulation results and discussion 
for our proposed secret key generation system. 

A. OFDM simulation results 

We first show the simulation result of an IEEE 802.11a 
channel. We simulate the frequency and sampled channel 
coefficients and their correlation matrices. Then we numerically 
compute the empirical secret key capacity between Alice and 
Bob based on our simulated time domain channel coefficients 
under different channel environments. 

In Table I we list some channel parameters for a typical 
rich multipath OFDM 802.11a environment [43]. Secret key 
capacity simulated at a particular SNRf is also listed for 
a quick reference. 

TABLE I 
Channel parameters and secret key capacity 

No. of Tones ($M$)                          52 
Total Bandwidth                            20 MHz 
Total Data Bandwidth ($W$)                  16.25 MHz 
Signal Duration ($T$)                       3.2 μs 
Carrier Frequency Spacing ($\Delta f$)      312.5 kHz 
Center Carrier Frequency ($F$)              5.18 GHz 
Coherence Time                             100 ms 
Max Delay Spread ($\tau_{\max}$)            800 ns 
Typical Indoor Delay Spread                40 ns - 1 μs 
Typical Outdoor Delay Spread               1 μs - 200 μs 
Secret Key Capacity ($C$) at 20 dB          1040 bits/sec 

When coherence time is small, the secret 
key capacity becomes large as new randomness is supplied 
at higher rate. However, the relationship between secret key 
capacity and the degree of freedom $L = \lceil \tau_{\max} W \rceil$ is more 
complicated and depends on the operating SNRf. While the 
scaling is roughly linear in delay spread and bandwidth there 
are second order effects that make the relationship more 
complicated. This is illustrated in Sec. VI-A2. 



1) Channel coefficients simulation: We consider $N_p = 300$ 
transmission paths and assume the 52 tones all have the same 
SNRf, cf. (10). For simplicity, we choose the maximum 
delay spread $\tau_{\max}$ to be 800 ns so that the degree of freedom 
(DoF) $L = \lceil \tau_{\max} W \rceil = 13$. We reduce the redundancy 
in the $M = 52$ frequency domain channel coefficients by 
transforming them into 13 independent sampled channel 
coefficients. Over each coherence time, we let $\tau_k$ be drawn 
uniformly from 0 to $\tau_{\max}$ and $\beta_k$ are independent Gaussian 
random variables whose variances are related to the drawn 
$\tau_k$ through the exponential power-delay profile. We generate 
10^ independent realizations of such channel and construct the 
contour plots of empirical correlation matrices of frequency 
domain channel coefficients and sampled channel coefficients 
as shown in Fig. 5. 

2) Secret key capacity simulation: Secret key capacity 
can be computed from the first $L$ nonzero sampled channel 
coefficients using (28). We plot in Fig. 6 the secret key 
capacity calculated from sampled channel coefficients. Note 
that the secret key capacity calculated using sampled channel 
coefficients is an approximation. As we see from Fig. 6 the 
total number of bits we can obtain per coherence time is as 
large as 1 x 52 x 2 = 104 bits at 20 dB. It is 1040 bits per 
second when coherence time is 100 ms. 

The simulation in Fig. 6 suggests that there is no single optimal 
OFDM channel which has the best secret key capacity under 
any SNRf: under low SNRf, one would like the channel 
to possess fewer degrees of freedom; under high SNRf, one 
would like the channel to have more degrees of freedom. This 
is analogous to [14] where the authors observe that there is 
a trade-off between the power per degree of freedom and the 
number of degrees of freedom. The intuition is also related to 
[44] where it is shown that a peaky signal is the capacity achieving 
input to an AWGN fading channel. 

One can also compute secret key capacity from frequency 
domain channel coefficients. Due to page limit constraint we 
omit the results. 

(b) Correlation matrix of sampled channel coefficients 

Fig. 5. OFDM channel coefficients simulation. Note that 13 sampled channel 
coefficients are decorrelated from 52 frequency domain channel coefficients. 
Note that sampled channel coefficients do not have the same variance. 

Fig. 6. Secret key capacity of sampled channel coefficients 

B. LDPC Performance 

In this subsection we simulate the performance of our error 
correcting code. We allow Alice and Bob to perform multiple 
channel trainings. There are two ways we simulate the error 
correction process to reconcile Alice and Bob's measured 
channel coefficients. If Bob quantizes his channel coefficients, 
we term the reconciliation a hard decoding process. On the 
other hand, if Bob keeps his unquantized coefficients such 
that $\mathcal{Y} = \mathbb{R}$, we term it a soft decoding process. In soft 
decoding, the decoder has access to Bob's full unquantized 
channel coefficients which improves decoding performance. 

Fig. 7. LDPC performance 

We let Alice and Bob perform $n = 30$ independent channel 
trainings yielding a block length of $N = 30 \times 52 \times 2 = 3120$. 
One benefit of using a large block length is that an LDPC code 
performs better under longer block lengths. We generate 400 
independent realizations of such 30 trainings and aggregate the 
secret key bit error from the channel trainings of each. For each 
LDPC code rate, we plot its corresponding SNR which yields 
approximately 10 ~^ secret key bit error rate. The number of 
realizations is sufficient as $400 \times 3120$ is on the order of $10^6$ 
which suffices to assess system performance at bit error rates 
of 10-^. 

We simulate the performance of our error correcting code 
using the sampled channel coefficients we simulated in 
Section VI-A1 with $L = 13$. We connect our LDPC simulation 
with the secret key capacity in Section VI-A2 by putting them 
in the same plot. We plot the capacity when $L = 13$ and the 
performance of the binary and non-binary (4-ary) LDPC code 
in Fig. 7. The irregular LDPC codes are constructed using 
the density evolution technique [45]. We first note that our 
decoding performance is improved by using soft decoding and it is 
further improved by using irregular LDPC codes. Non-binary 
LDPC further improves the performance and approaches the 
capacity in the high SNRf region. LDPC codes with rate below 
0.25 are not simulated as low code rate means less secrecy. 

VII. Conclusion and future work 

We study channel randomness and propose a practical 
system that generates secret keys from observing the channel 
randomness. We investigate the secret key capacity shared by 
two end users and find that secret key generation based on 
CSI is superior to the key generation based on RSSI. This 
is because the CSI-based method has the larger secret key 
capacity. We suggest that modern receiver circuitry should 
make CSI accessible to upper layer applications. We prove that 
it is always preferable to use the real and imaginary parts of the 
sampled channel coefficients, as opposed to using magnitude 
and phase separately. Our simulations show that it is feasible to 
base key generation on sampled channel coefficients. Finally, 
we implement the key generation system based both on regular 
and irregular LDPC codes. 
Appendix 
A. Proof of Theorem 2 

We first show the following lemma. 

Lemma 1. Let $X$, $Y$ and $Z$ be random variables. If $Z$ is 
independent either of $X$ or of $Y$ or both, then 

$$I(X; Y | Z) \ge I(X; Y),$$

where equality holds if and only if $Z$ is independent of 
$(X, Y)$. 

Proof: Suppose $Z$ is independent of $X$. Following the 
definition of mutual information, we have the following, 

$$I(X; Y | Z) = \mathcal{H}(X) - \mathcal{H}(X | Y, Z) \ge \mathcal{H}(X) - \mathcal{H}(X | Y) = I(X; Y),$$

where $\mathcal{H}(\cdot)$ denotes the differential entropy. Equality holds if 
$Z$ is independent of $(X, Y)$. ■ 

We now prove the theorem. 

Proof: We first prove the inequality in the theorem 

$$\begin{aligned}
I(h_A; h_B) &\overset{(b)}{\ge} I(|h_A|; h_B) + I(e^{j\phi_A}; h_B) \\
&= I(|h_A|; |h_B|, e^{j\phi_B}) + I(e^{j\phi_A}; |h_B|, e^{j\phi_B}) \\
&\overset{(c)}{=} I(|h_A|; |h_B|) + I(|h_A|; e^{j\phi_B} \,|\, |h_B|) + I(e^{j\phi_A}; |h_B|) + I(e^{j\phi_A}; e^{j\phi_B} \,|\, |h_B|) \\
&\overset{(d)}{\ge} I(|h_A|; |h_B|) + I(|h_A|; e^{j\phi_B}) + I(e^{j\phi_A}; |h_B|) + I(e^{j\phi_A}; e^{j\phi_B}) \\
&= I(|h_A|; |h_B|) + I(|h_A|; \phi_B) + I(\phi_A; |h_B|) + I(\phi_A; \phi_B) \\
&\overset{(e)}{\ge} I(|h_A|; |h_B|) + I(\phi_A; \phi_B),
\end{aligned}$$

where (a) and (c) follow from the chain rule of mutual 
information, (b) follows because $|h_A|$ is independent of $\phi_A$ 
(cf. Lemma 1), (d) follows because $|h_B|$ is independent of $\phi_B$ 
and (e) follows because mutual information is non-negative. 
This proves the inequality in the theorem. 

The first equality in the theorem is proved by showing 
that the density function of $(h_A, h_B)$ can be factored into 
the product of density functions of $(\Re(h_A), \Re(h_B))$ and 
$(\Im(h_A), \Im(h_B))$. ■ 